Five worthy reads is a regular column on five noteworthy items we’ve discovered while researching trending and timeless topics. This week we are exploring the concept of supply chain cybersecurity in a time when there is a rising number of third-party cyberattacks.
The top-of-the-mind priority for cybersecurity stakeholders is to secure the organization’s IT assets with state-of-the-art IT tools and best practices. These steps help strengthen the organization’s fortress. Often overlooked is the huge threat to an organization that lies outside its perimeter—the risks associated with the vendors, consultants, or any external stakeholders who constitute the links of its supply chain. This third-party risk raises the importance of supply chain security.
Traditional cyberattacks were direct, and focused on exploiting the vulnerabilities of the target organization. With the increased adoption of threat prevention security tools and practices, these organizations have become more secure. Faced with that hurdle, cyberattackers have now turned to the relatively weaker supply chain links that give them a way into their targeted organizations.
You’re only as safe as your weakest link!
Why is that a major concern in 2021? COVID-19 has jolted organizations around the world towards fast-tracked cloud migrations and digital transformations. This seemingly overnight transition has added a new, unknown set of vulnerabilities to the current threat landscape. During the pandemic, many organizations pivoted from their business models, with some entering into mergers and some even going out of business. This phenomenon triggered chain reactions that altered the supplier landscape across the globe.
Most organizations are links in some supply chain in the business world. An organization may not have visibility into its entire vendor network, and as those vendors engage subcontractors of their own, visibility decreases further while risk increases.
An organization may be cyber vigilant within its perimeter. But how can data security be ensured if the organization is unaware of its data supply chain?
The pandemic-struck world has seen quite a few third-party breach incidents. The news of a supply chain cyberattack in December 2020 shook the tech world when a group of hackers attacked a few United States government agencies and tech majors, including Microsoft and Cisco Systems. The hackers exploited vulnerabilities in software used by these organizations: they compromised the trusted software vendor SolarWinds and embedded malicious code in its product. When the new software patch was rolled out, the attackers gained access to the targeted organizations.
Let’s look at five interesting articles about supply chain security, and learn how organizations can prevent third-party data breaches.
The SolarWinds supply chain attack exposes the vulnerabilities in an organization’s operational and administrative control over a trusted vendor. The first step towards supply chain cyber resilience is assessing the supply chain risks and integrating risk mitigation into the business processes. Supply chain design and management should explicitly discuss and maintain expectations from vendors regarding security and business continuity.
The key concern of supply chain security is understanding the organizational boundaries of security responsibilities. Certifications, such as the Cybersecurity Maturity Model Certification (CMMC) that is mandated by the U.S. Department of Defense for all its suppliers, provide a layer of assurance in supply chain security. Sharing information on cybersecurity among the supply chain links also helps to strengthen the network and develop trust.
With the advent of Industry 4.0 there has been an increase in the number of endpoints and in the amount of data created and processed in Industrial Internet of Things (IIoT) nodes. Raising cybersecurity levels in the supply chain brings more value when all stakeholders provide this assurance. With cybersecurity enforced as a legal mandate, and an ecosystem that promotes threat intelligence sharing, the supply chain becomes cyber resilient.
Organizations need a framework to categorize partners based on their risk profile, followed by a cyber-risk analysis to understand the impact of each supplier; on that basis, clear risk transfer agreements can be made between the organizations. Qualitative and quantitative risk assessments together contribute to an ideal model that provides a better understanding of the risks posed by partners.
Many instances in 2020 help organizations learn and understand the magnitude of the risks posed by third-party vendors. These range from a 650,000-record data leak at a health care organization because of a stolen laptop, to the massive breach of over 235 million records of Instagram, TikTok, and YouTube users. Other stories describe how a parts vendor compromised tech giants, including SpaceX, Tesla, Boeing, and Lockheed, and how a software developer left 10 million records on an unsecured server.
Ensuring foolproof supply chain security measures—establishing visibility into all the links in the supply chain, including the subcontractors—is a challenging task. However, adopting best practices in third-party risk management helps reduce risk for organizations. With the assistance of the legal and finance functions, organizations should set the right expectations on security controls with vendors during vendor onboarding. Threat intelligence sharing across the supply chain helps reduce cyber-risk and improves trust among the supply chain links, while showcasing an organization’s leadership.